01-19-2009 11:11 AM - edited 03-06-2019 03:31 AM
Hello -
I want to allow access to two systems behind a router and have achieved part of that, but for some reason, the additional ip scopes added don't have access using access-list 101. Can someone please look at my config and let me know what I may be missing? Thanks
Solved! Go to Solution.
01-20-2009 01:23 AM
Christopher
Sorry about the confusion. As Victor says we are just messing around but i can see how it might have been taken out of context. No offence intended from either of us.
"Allow any IP to telnet to int F0/0 (195.85.24.4)
Allow TS from the 195.85.x.x subnet specified in the ACL access to the two systems 10.13.3.2 and 10.13.10.5
deny all other access"
Yes your acl will do this altho i'm assuming 10.13.3.2 is a typo as your acl references 10.13.2.3 ?
Jon
01-19-2009 11:16 AM
Christopher
Your access-list -
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
the 4th line says -
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
so the permits for the 195.85.x subnets after this line will never be hit because the deny is line is hit first. You need to reorder your access-list to
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
Jon
01-19-2009 11:23 AM
Hello Jon -
I have added that order but when I add to the config it still shows the same order as I have above?
ip access-list extended CRFementerNAT
deny ip 10.13.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.255.255.255 any
remark allow new Genencor / Danisco IP range
permit ip 195.85.0.0 0.0.255.255 any
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
no cdp run
01-19-2009 11:24 AM
Did you remove the access-list ie.
no access-list 101
and then cut and paste the new one back in ?
Jon
01-19-2009 11:25 AM
Jon -
I am remote from the router and using telnet, if I do this I lose connection to the router.
01-19-2009 11:32 AM
Okay, remove the acl from the interface ie.
int s0/0
no ip access-group 101 in
then do as previously suggested and reapply. Just make sure you get the line right that allows you remote access.
Jon
01-19-2009 11:30 AM
Jon -
Disregard last post. I did do that. I will test and let you know if this resolves the issue. Thanks
01-19-2009 11:41 AM
No problem. Please note there is a typo in my previous post -
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
should read
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.120.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.121.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.122.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.124.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
ie. the "access-list 101 deny ip 195.85.0.0 0.0.255.255 10.0.0.0 0.255.255.255" line should only appear second line from end and not as the 4th line as well.
Apologies for that.
Jon
01-19-2009 11:30 AM
What kind of cockamamie access list is that? You deny all traffic coming from the entire class B network of 195.85.0.0 and heading to the entire class A network of 10.0.0.0, but then you try to allow traffic with the same source and destination right after that. And whats with the "permit ip any any" statement in the middle of the access list?
[Excuse the cross post, Jon.]
01-19-2009 11:39 AM
Please help me understand how I can allow what I have listed in the ACL and deny everything else? Thanks
01-19-2009 11:45 AM
Hi Victor
"[Excuse the cross post, Jon.]"
No problem. I think the idea of the acl is to permit certain traffic between 195.85.x.x and 10.13.x.x and then deny all other traffic between 195.85.x.x and 10.13.x.x but then also allow any other traffic from different source addresses and potentially different destination addresses.
You know i wasn't going to write this but knowing what a good sense of humour you have -
apologies if the above was too excruciating in it's detail :-)
Jon
01-19-2009 12:30 PM
OK I have modified my ACL to make it little easier to manage. Please let me know if this will work for what I want to accomplish? Thanks
access-list 101 permit tcp any host 195.85.24.4 eq telnet
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.24.0 0.0.0.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.3.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.1.255 host 10.13.2.3 eq 3389
access-list 101 permit tcp 195.85.119.0 0.0.3.255 host 10.13.10.5 eq 3389
access-list 101 permit tcp 195.85.123.0 0.0.1.255 host 10.13.10.5 eq 3389
access-list 101 deny any any
01-19-2009 01:35 PM
Christopher
You haven't actually told us what you want to accomplish :-). But what this access-list does is to
1) allow any IP address to access 195.84.24.4 using telnet
2) then allow terminal services (3389) from a number of 195.85.x.x subnets to particular hosts in the 10.13.x.x range
3) deny all other access
Jon
01-19-2009 02:50 PM
Jon -
This is what I want to accomplish the ACL.
Allow any IP to telnet to int F0/0 (195.85.24.4)
Allow TS from the 195.85.x.x subnet specified in the ACL access to the two systems 10.13.3.2 and 10.13.10.5
deny all other access
With the ACL will this work?
01-19-2009 02:33 PM
Youre a regular riot, Alice. :-)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide